Analysis
-
max time kernel
150s -
max time network
104s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-01-2021 18:42
Static task
static1
Behavioral task
behavioral1
Sample
CFDI__Manager__12365.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
CFDI__Manager__12365.exe
Resource
win10v20201028
General
-
Target
CFDI__Manager__12365.exe
-
Size
809KB
-
MD5
5b7c3ff3556606c67a61527f81579eee
-
SHA1
75299ed8a21eebe1b1969e065e80f02ad21d4267
-
SHA256
82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
-
SHA512
6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe -
Executes dropped EXE 3 IoCs
Processes:
13773ik9_1.exeumy1e759eek3.exes5uks1k73q.exepid Process 380 13773ik9_1.exe 1080 umy1e759eek3.exe 1316 s5uks1k73q.exe -
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\13773ik9.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\13773ik9.exe\"" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\13773ik9.exe\"" explorer.exe -
Processes:
CFDI__Manager__12365.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CFDI__Manager__12365.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
explorer.exedescription ioc Process File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
CFDI__Manager__12365.exeexplorer.exepid Process 5056 CFDI__Manager__12365.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
CFDI__Manager__12365.exe13773ik9_1.exedescription pid Process procid_target PID 4764 set thread context of 5056 4764 CFDI__Manager__12365.exe 73 PID 380 set thread context of 0 380 13773ik9_1.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exeCFDI__Manager__12365.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 CFDI__Manager__12365.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString CFDI__Manager__12365.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" explorer.exe -
NTFS ADS 2 IoCs
Processes:
explorer.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\13773ik9_1.exe:14EDFC78 explorer.exe File created C:\Users\Admin\AppData\Local\Temp\13773ik9_1.exe:14EDFC78 explorer.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
explorer.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 2060 powershell.exe 2060 powershell.exe 2568 powershell.exe 2264 powershell.exe 2528 powershell.exe 2528 powershell.exe 2060 powershell.exe 2528 powershell.exe 2264 powershell.exe 2568 powershell.exe 2264 powershell.exe 2568 powershell.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe 792 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
CFDI__Manager__12365.exepid Process 5056 CFDI__Manager__12365.exe 5056 CFDI__Manager__12365.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
CFDI__Manager__12365.exepid Process 5056 CFDI__Manager__12365.exe -
Suspicious use of AdjustPrivilegeToken 116 IoCs
Processes:
CFDI__Manager__12365.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 5056 CFDI__Manager__12365.exe Token: SeRestorePrivilege 5056 CFDI__Manager__12365.exe Token: SeBackupPrivilege 5056 CFDI__Manager__12365.exe Token: SeLoadDriverPrivilege 5056 CFDI__Manager__12365.exe Token: SeCreatePagefilePrivilege 5056 CFDI__Manager__12365.exe Token: SeShutdownPrivilege 5056 CFDI__Manager__12365.exe Token: SeTakeOwnershipPrivilege 5056 CFDI__Manager__12365.exe Token: SeChangeNotifyPrivilege 5056 CFDI__Manager__12365.exe Token: SeCreateTokenPrivilege 5056 CFDI__Manager__12365.exe Token: SeMachineAccountPrivilege 5056 CFDI__Manager__12365.exe Token: SeSecurityPrivilege 5056 CFDI__Manager__12365.exe Token: SeAssignPrimaryTokenPrivilege 5056 CFDI__Manager__12365.exe Token: SeCreateGlobalPrivilege 5056 CFDI__Manager__12365.exe Token: 33 5056 CFDI__Manager__12365.exe Token: SeDebugPrivilege 792 explorer.exe Token: SeRestorePrivilege 792 explorer.exe Token: SeBackupPrivilege 792 explorer.exe Token: SeLoadDriverPrivilege 792 explorer.exe Token: SeCreatePagefilePrivilege 792 explorer.exe Token: SeShutdownPrivilege 792 explorer.exe Token: SeTakeOwnershipPrivilege 792 explorer.exe Token: SeChangeNotifyPrivilege 792 explorer.exe Token: SeCreateTokenPrivilege 792 explorer.exe Token: SeMachineAccountPrivilege 792 explorer.exe Token: SeSecurityPrivilege 792 explorer.exe Token: SeAssignPrimaryTokenPrivilege 792 explorer.exe Token: SeCreateGlobalPrivilege 792 explorer.exe Token: 33 792 explorer.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2264 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeIncreaseQuotaPrivilege 2060 powershell.exe Token: SeSecurityPrivilege 2060 powershell.exe Token: SeTakeOwnershipPrivilege 2060 powershell.exe Token: SeLoadDriverPrivilege 2060 powershell.exe Token: SeSystemProfilePrivilege 2060 powershell.exe Token: SeSystemtimePrivilege 2060 powershell.exe Token: SeProfSingleProcessPrivilege 2060 powershell.exe Token: SeIncBasePriorityPrivilege 2060 powershell.exe Token: SeCreatePagefilePrivilege 2060 powershell.exe Token: SeBackupPrivilege 2060 powershell.exe Token: SeRestorePrivilege 2060 powershell.exe Token: SeShutdownPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeSystemEnvironmentPrivilege 2060 powershell.exe Token: SeRemoteShutdownPrivilege 2060 powershell.exe Token: SeUndockPrivilege 2060 powershell.exe Token: SeManageVolumePrivilege 2060 powershell.exe Token: 33 2060 powershell.exe Token: 34 2060 powershell.exe Token: 35 2060 powershell.exe Token: 36 2060 powershell.exe Token: SeIncreaseQuotaPrivilege 2528 powershell.exe Token: SeSecurityPrivilege 2528 powershell.exe Token: SeTakeOwnershipPrivilege 2528 powershell.exe Token: SeLoadDriverPrivilege 2528 powershell.exe Token: SeSystemProfilePrivilege 2528 powershell.exe Token: SeSystemtimePrivilege 2528 powershell.exe Token: SeProfSingleProcessPrivilege 2528 powershell.exe Token: SeIncBasePriorityPrivilege 2528 powershell.exe Token: SeCreatePagefilePrivilege 2528 powershell.exe Token: SeBackupPrivilege 2528 powershell.exe Token: SeRestorePrivilege 2528 powershell.exe Token: SeShutdownPrivilege 2528 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeSystemEnvironmentPrivilege 2528 powershell.exe Token: SeRemoteShutdownPrivilege 2528 powershell.exe Token: SeUndockPrivilege 2528 powershell.exe Token: SeManageVolumePrivilege 2528 powershell.exe Token: 33 2528 powershell.exe Token: 34 2528 powershell.exe Token: 35 2528 powershell.exe Token: 36 2528 powershell.exe Token: SeIncreaseQuotaPrivilege 2264 powershell.exe Token: SeSecurityPrivilege 2264 powershell.exe Token: SeTakeOwnershipPrivilege 2264 powershell.exe Token: SeLoadDriverPrivilege 2264 powershell.exe Token: SeSystemProfilePrivilege 2264 powershell.exe Token: SeSystemtimePrivilege 2264 powershell.exe Token: SeProfSingleProcessPrivilege 2264 powershell.exe Token: SeIncBasePriorityPrivilege 2264 powershell.exe Token: SeCreatePagefilePrivilege 2264 powershell.exe Token: SeBackupPrivilege 2264 powershell.exe Token: SeRestorePrivilege 2264 powershell.exe Token: SeShutdownPrivilege 2264 powershell.exe Token: SeDebugPrivilege 2264 powershell.exe Token: SeSystemEnvironmentPrivilege 2264 powershell.exe Token: SeRemoteShutdownPrivilege 2264 powershell.exe Token: SeUndockPrivilege 2264 powershell.exe Token: SeManageVolumePrivilege 2264 powershell.exe Token: 33 2264 powershell.exe Token: 34 2264 powershell.exe Token: 35 2264 powershell.exe Token: 36 2264 powershell.exe Token: SeIncreaseQuotaPrivilege 2568 powershell.exe Token: SeSecurityPrivilege 2568 powershell.exe Token: SeTakeOwnershipPrivilege 2568 powershell.exe Token: SeLoadDriverPrivilege 2568 powershell.exe Token: SeSystemProfilePrivilege 2568 powershell.exe Token: SeSystemtimePrivilege 2568 powershell.exe Token: SeProfSingleProcessPrivilege 2568 powershell.exe Token: SeIncBasePriorityPrivilege 2568 powershell.exe Token: SeCreatePagefilePrivilege 2568 powershell.exe Token: SeBackupPrivilege 2568 powershell.exe Token: SeRestorePrivilege 2568 powershell.exe Token: SeShutdownPrivilege 2568 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeSystemEnvironmentPrivilege 2568 powershell.exe Token: SeRemoteShutdownPrivilege 2568 powershell.exe Token: SeUndockPrivilege 2568 powershell.exe Token: SeManageVolumePrivilege 2568 powershell.exe Token: 33 2568 powershell.exe Token: 34 2568 powershell.exe Token: 35 2568 powershell.exe Token: 36 2568 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
s5uks1k73q.exepid Process 1316 s5uks1k73q.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
CFDI__Manager__12365.exeCFDI__Manager__12365.exeexplorer.exes5uks1k73q.exedescription pid Process procid_target PID 4764 wrote to memory of 5056 4764 CFDI__Manager__12365.exe 73 PID 4764 wrote to memory of 5056 4764 CFDI__Manager__12365.exe 73 PID 4764 wrote to memory of 5056 4764 CFDI__Manager__12365.exe 73 PID 4764 wrote to memory of 5056 4764 CFDI__Manager__12365.exe 73 PID 4764 wrote to memory of 5056 4764 CFDI__Manager__12365.exe 73 PID 5056 wrote to memory of 792 5056 CFDI__Manager__12365.exe 76 PID 5056 wrote to memory of 792 5056 CFDI__Manager__12365.exe 76 PID 5056 wrote to memory of 792 5056 CFDI__Manager__12365.exe 76 PID 792 wrote to memory of 380 792 explorer.exe 80 PID 792 wrote to memory of 380 792 explorer.exe 80 PID 792 wrote to memory of 380 792 explorer.exe 80 PID 792 wrote to memory of 1080 792 explorer.exe 81 PID 792 wrote to memory of 1080 792 explorer.exe 81 PID 792 wrote to memory of 1080 792 explorer.exe 81 PID 792 wrote to memory of 1316 792 explorer.exe 82 PID 792 wrote to memory of 1316 792 explorer.exe 82 PID 792 wrote to memory of 1316 792 explorer.exe 82 PID 1316 wrote to memory of 2060 1316 s5uks1k73q.exe 84 PID 1316 wrote to memory of 2060 1316 s5uks1k73q.exe 84 PID 1316 wrote to memory of 2264 1316 s5uks1k73q.exe 86 PID 1316 wrote to memory of 2264 1316 s5uks1k73q.exe 86 PID 1316 wrote to memory of 2528 1316 s5uks1k73q.exe 87 PID 1316 wrote to memory of 2528 1316 s5uks1k73q.exe 87 PID 1316 wrote to memory of 2568 1316 s5uks1k73q.exe 91 PID 1316 wrote to memory of 2568 1316 s5uks1k73q.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\13773ik9_1.exe/suac4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:380
-
-
C:\Users\Admin\AppData\Local\Temp\umy1e759eek3.exe"C:\Users\Admin\AppData\Local\Temp\umy1e759eek3.exe"4⤵
- Executes dropped EXE
PID:1080
-
-
C:\Users\Admin\AppData\Local\Temp\s5uks1k73q.exe"C:\Users\Admin\AppData\Local\Temp\s5uks1k73q.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.09\'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
MD5
90e605c7715d0176aad22e2998b7e553
SHA13a47d8979bae208b9c8d29f97d27a3c04cfd089e
SHA25626c9324f65b72c1f04e06a7b2781a1e1d9d0344e210af0b08d3549658fb76bc7
SHA512b0b201d63859e8b5bbdbf3048e33ce833a757e8065f31e6be35ff153eedcc06745935e491bf4589710f9e7ae312bd9f4523d81502b5e34b5f66cbec927795639
-
MD5
005002555db0bf03ff21848ee947aba3
SHA1e3611a788bf54a9a3b4d0207fb01918d9fbccb19
SHA256d495bd3dc404c98a5423d418f4203f1a4fa02e666db8f686f28abaa896e2e5cb
SHA5125978674700e56fe65f4c2da82b9bd8bf4e8174b4031ccf7e31fc494771046915622d2486a83b52475d97943e2b380b5af9257a48b1a2fb6654c9c0e5890d9787
-
MD5
5b7c3ff3556606c67a61527f81579eee
SHA175299ed8a21eebe1b1969e065e80f02ad21d4267
SHA25682e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
SHA5126484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
-
MD5
5b7c3ff3556606c67a61527f81579eee
SHA175299ed8a21eebe1b1969e065e80f02ad21d4267
SHA25682e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
SHA5126484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
-
MD5
4fd50d4173e873a52e7841fe2a3f921e
SHA14ffd734a7877f78fdf2b65b37e90b2db3be20fe3
SHA256456b6497adb103204e78b1888c75cc73a6e61e8aa1d5eec27eb594f98e0601ed
SHA5125c272aeb5a27d905251d4e41216d69060eebe2d978602f339776486bbb007ea294183921a7c57c8a8dafaf50080df08b411f45610dfebd6a61d7dc28658d8ab0
-
MD5
4fd50d4173e873a52e7841fe2a3f921e
SHA14ffd734a7877f78fdf2b65b37e90b2db3be20fe3
SHA256456b6497adb103204e78b1888c75cc73a6e61e8aa1d5eec27eb594f98e0601ed
SHA5125c272aeb5a27d905251d4e41216d69060eebe2d978602f339776486bbb007ea294183921a7c57c8a8dafaf50080df08b411f45610dfebd6a61d7dc28658d8ab0
-
MD5
dc9127dc898edcb166176abfc891ee59
SHA1400466e887170c260628143430d08335a88d5298
SHA2564490550a55d971b2305d209e9a9d6fdb4954fb1c4c435d0b1f4e98d84a938074
SHA51285347b252c34c39b8781a592af94de66dc65908c8d2c92a447cc8fca4996eea65e4c0875f891c9372ff51873c05894f846d9e37e965959f4c5c5d0367e0afb4c
-
MD5
dc9127dc898edcb166176abfc891ee59
SHA1400466e887170c260628143430d08335a88d5298
SHA2564490550a55d971b2305d209e9a9d6fdb4954fb1c4c435d0b1f4e98d84a938074
SHA51285347b252c34c39b8781a592af94de66dc65908c8d2c92a447cc8fca4996eea65e4c0875f891c9372ff51873c05894f846d9e37e965959f4c5c5d0367e0afb4c